A little guidance - TI Xenix

From: Ward Griffiths and/or Lisa Rogers <gram_at_cnct.com>
Date: Sat Jun 14 17:59:32 1997

On Fri, 13 Jun 1997, Captain Napalm wrote:
> The first is via sendmail. There used to be a way to get into a debugging
> mode and have sendmail run arbitrary commands, and since it often ran as
> root, this was one way someone could break into a system. The debug mode of
> sendmail is the "wizard" mode, but I came onto the e-mail scene just after
> this hole was closed (after the Robert Morris Internet Worm of '88). I
> don't know more than that, sorry.

sendmail wasn't part of Xenix in those days -- all networking aside from
uucp was extra, and mostly still being developed.

> The second requires the Intel 386 Assembly and assumes you have fingerd
> running (has to be fingerd). What this entails is feeding the fingerd
> program too much information, which overwrites the program stack. With
> careful programming, the excess information can be code that will then run
> arbitrary commands (since fingerd often runs as root). This will also
> require you to know where in memory the executable is loaded so that you
> can provide a valid return address on the stack.

No fingerd, either. Or _any_ real networking daemons in Xenix at the

> If you don't have either of those, try finding an interactive setuid root
> program you can run, as it too, may be possible to overrun an input buffer.

No real holes that I remember from Xenix in that era -- amazingly secure
for a Unix port in those days.

> There may be easier ways, I just don't know of them offhand (do you have
> access to another Xenix system? Could you mount your drives to it? Can you
> boot MS-DOS on it (from the floppy)? If so, you might be able to use Norton
> Utilities to scan the harddrive for the password file and modify it there
> (and if not Norton, then some other low level disk editor program)).

Well, I know that the setuid hole in Profile 16 for Tandy 68000 Xenix
was never fixed. But filePro 16plus for the 386 version didn't have it.

Back when I broke into over half the Tandy 6000 systems in the Radio
Shack Area Training and Support Offices in 1986 (by invitation from
management -- I'm a hacker, not a cracker) my tools were lists of the
employees' names (works nine out of ten times) and knowledge of the
hole in Profile 16. Which I'd already published a fix for. (An
expanded version of which is available in CIS UNIXFORUM under the
filename SECURE.MS -- I'd delete it, but the account with authority to
do so is ancient history).

Ward Griffiths
"America is at that awkward stage.  It's too late to work within
the system, but too early to shoot the bastards." --Claire Wolfe
Received on Sat Jun 14 1997 - 17:59:32 BST
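The fingerd overrun described in the quoted part of the thread (feed the daemon a request line longer than its fixed stack buffer so the copy runs off the end of it) comes down to one unbounded copy. The following is an added example, not code from the original post or from any Xenix or BSD source: it places the gets()-style unbounded copy beside a bounded reader that refuses an oversize line. The 512-byte buffer size, the function names and the sample request lines are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Request buffer size used for illustration; an assumption, not taken from the post. */
#define REQ_BUF 512

/*
 * Vulnerable pattern: copy the request line into a caller-supplied fixed-size
 * stack buffer with no length check, which is how gets() behaves. A line
 * longer than the buffer writes past its end into whatever sits above it on
 * the stack (saved registers, the return address). Shown to make the defect
 * visible; it is only ever called here with a short, constructed input, since
 * overflowing it is undefined behaviour.
 */
static void read_request_unbounded(const char *input, char *buf)
{
    size_t i = 0;
    while (input[i] != '\0' && input[i] != '\n') {
        buf[i] = input[i];      /* no comparison against the buffer's capacity */
        i++;
    }
    buf[i] = '\0';
}

/*
 * Hardened form: the caller passes the capacity, the copy never exceeds
 * cap - 1 bytes, and a request line that does not fit is rejected outright
 * rather than silently truncated. Returns 0 on success, -1 if the line is
 * too long for the buffer.
 */
static int read_request_bounded(const char *input, char *buf, size_t cap)
{
    const char *nl = strchr(input, '\n');
    size_t len = nl ? (size_t)(nl - input) : strlen(input);

    if (cap == 0 || len >= cap) {
        if (cap)
            buf[0] = '\0';
        return -1;              /* oversize request: refuse it, do not truncate */
    }
    memcpy(buf, input, len);
    buf[len] = '\0';
    return 0;
}

/* Build a constructed oversize request: n bytes of 'A', a newline, a NUL. */
static size_t make_long_request(char *out, size_t n)
{
    memset(out, 'A', n);
    out[n] = '\n';
    out[n + 1] = '\0';
    return n;
}

int main(void)
{
    char req[REQ_BUF];
    char normal[] = "root\n";                 /* constructed benign request */
    static char attack[2 * REQ_BUF + 2];       /* constructed oversize request */

    read_request_unbounded(normal, req);
    printf("unbounded, short input : \"%s\"\n", req);

    make_long_request(attack, 2 * REQ_BUF);
    if (read_request_bounded(attack, req, sizeof req) == -1)
        printf("bounded, %zu-byte line : rejected\n", (size_t)(2 * REQ_BUF));

    if (read_request_bounded(normal, req, sizeof req) == 0)
        printf("bounded, short input   : \"%s\"\n", req);
    return 0;
}
```

The point of the bounded reader is that the capacity travels with the buffer and an input that does not fit is an error, not something to be trimmed to size; a daemon that silently truncates still lets an attacker control exactly which bytes land at the end of the buffer.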

This archive was generated by hypermail 2.3.0 : Fri Oct 10 2014 - 23:30:29 BST